Feature: replace the head by commitSHA/version tag to specify a version when checking the dependency-diff #2065
Labels
Comments
aidenwang9867
changed the title
aidenwang9867
changed the title
aidenwang9867
changed the title
|
We might not have this implemented until (1) the Scorecard REST API supports query by a version tag or (2) the GitHub Dependency Review API returns the commitSHA of a dependency. |
|
This issue is stale because it has been open for 60 days with no activity. |
|
This issue is stale because it has been open for 60 days with no activity. |
|
This issue has been marked stale because it has been open for 60 days with no activity. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your feature request related to a problem? Please describe.
In v0 (issue #2008, PR #2030, #2046, #2077), we use the default headSHA of the dependency repo to check and report its security state. However, this is somehow imprecise since users use different versions of dependencies (so it doesn't have to be the version in the head commit).
Describe the solution you'd like
Use the incoming scorecard REST API that supports scorecard results fetching by either a commitSHA or a version tag to replace the default headSHA (HEAD), in order to better report the security states of users' dependency changes.
Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.
Additional context
This is a TODO introduced in PR #2046.
The text was updated successfully, but these errors were encountered: